In early August (specifically only on one day, Aug 2nd, 2016) and only for a few hours, the download mirror which a third party website, FossHub, was hosting for Classic Shell version 4.3.0 got hacked by some hackers calling themselves Peggle Crew. They did not tamper with the Classic Shell files, instead they managed to replace the installer file with another fake installer containing a trojan that when launched, corrupts the MBR (Master Boot Record) of the PC. This renders the computer unbootable.

As soon as the hack was detected, the download link on the main site http://www.classicshell.net was fixed to link to a clean installer file. Classic Shell became once again safe to download immediately after the hack was detected within a few hours and the fake installer replaced with a genuine one.

Those of you who pay attention to the UAC prompt in Windows should not have gotten infected because the authentic installer is digitally signed and shows a green UAC prompt along with the developer's name, whereas the fake one shows a bright yellow UAC prompt indicating a warning. The infection can only happen if you say Yes to the UAC prompt of the fake installer, not if you double-clicked it but said No to the UAC prompt.

Here is a FAQ for those of you whose PC got affected by malware when they accidentally downloaded and ran the hacked installer on August 2nd, 2016. Anyone else downloading the current installer after August 2 or now should rest assured that it is clean and free of malware. You can verify this by checking the digital signature of the installer's properties.

How do I know I have downloaded the correct file? There are a few things to watch for:

Check the file properties in Explorer – right-click -> Properties. Look for a tab named “Digital Signatures”. It should list “Ivaylo Beltchev” as the signer. The hacked file doesn’t even display the “Digital Signatures” tab.

When you run the real installer it will not immediately ask you for admin permissions. Only after you finish selecting your settings will you be asked. The hacked file asks right away.

The prompt for permissions will be blue for the real file and say "Verified publisher: Ivaylo Beltchev". The fake file will show a yellow prompt and say "Publisher: Unknown".

The fake file will of course not install Classic Shell. It will just flicker once and exit. So if you managed to install Classic Shell 4.3.0, then you had the right file and you are safe.

Here's a recap of what exactly happened for those who are worried about the hack:

● This was a very new malware. At the time when it was being spread, very few anti-virus apps detected it - only Kaspersky, AVG and something else, and that too only as a generic threat, not as a specific trojan.

● Classic Shell is safe once again to download. The main download is currently from another hosting service called MediaFire which was not hacked. The website hosting it at that time (FossHub) was hacked and only for a few hours on 1 particular day. Ever since, Classic Shell's installer is clean and you don't have to be worried about getting infected as long as you don't ignore the UAC prompt which shows a blue band for signed executables.

● The attack was timed by whoever hacked the installer to coincide with the release of Windows 10 Anniversary Update which was removing older versions of Classic Shell without giving any details except some unexplained "incompatibility" message in the Action Center. So users would head to the main download site and the compromised installer would infect their PC.

● This affects UEFI/GPT partitions too and makes them unbootable just like BIOS/MBR partitions. Secure Boot should not be affected. Whether your MBR is infected or GPT, it is easy to recover/fix and your data is not erased or encrypted. But the fact that it makes the PC unbootable scares novice users who have no idea how to fix it.

● This attack occurred because of a breach in FossHub's security and not due to a vulnerability in Classic Shell's website or installer. They have rectified the situation. They posted an apology on Reddit: https://www.reddit.com/r/sysadmin/comments/4vzovk/fosshub_statement_regarding_2nd_august_security/ Still, Classic Shell's main hosting now uses another service, MediaFire.

● If you always use the built-in updater to update Classic Shell, it downloads from another location (MediaFire) that was not compromised. Also it is digitally signed so its authenticity can be verified.

● The impact of the attack was limited. We noticed that Windows 10 was removing Classic Shell as "incompatible" and wasn't giving any details about what the incompatibility was. So an updated version of Classic Shell for Windows 10 Anniversary Update was released 2 days before the attack (2 days before the Anniversary Update became publicly available). This was done so that Windows 10 would not remove the compatible version. Classic Shell gets millions of downloads per month. Because the update was rolled out in advance, the fake installer (which did not have Classic Shell at all) was downloaded approximately 300 times, not thousands or millions of times.

● The Classic Shell installer is digitally signed so when you download it from the official website or from another download service that the website links to, you can verify the genuine vs fake installer using the Windows UAC prompt. The genuine installer will be digitally signed by Ivaylo Beltchev who is the developer of Classic Shell.

If the installer's Properties dialog has a tab called "Digital Signatures" and, after clicking "Details", you see that the digital signature is OK and the signer is Ivaylo Beltchev, then it is the genuine installer and is safe to run:
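The same check the FAQ describes for the Explorer Properties dialog, done from PowerShell so it can be scripted or run on a batch of downloads. This is an added example, not code from the original post or from the Classic Shell project; the installer path is a placeholder and the expected signer name is the one given in the FAQ. A file with no signature block at all (the case where the "Digital Signatures" tab is missing) comes back as NotSigned.

```powershell
# Added example (not from the original post). Requires only built-in cmdlets.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Expected publisher CN, as stated in the FAQ above.
        [string]$ExpectedSigner = 'Ivaylo Beltchev'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode check: verifies the embedded hash and the certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path      = $Path
        SizeBytes = (Get-Item -LiteralPath $Path).Length
        Status    = $sig.Status            # Valid / NotSigned / HashMismatch / NotTrusted / ...
        Message   = $sig.StatusMessage
        Signer    = $null
        SignerOk  = $false
        ChainOk   = ($sig.Status -eq 'Valid')
        Verdict   = 'DO NOT RUN'
    }

    if ($sig.SignerCertificate) {
        # SimpleName returns the subject CN without hand-parsing the DN string.
        $cn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $result.Signer   = $cn
        $result.SignerOk = ($cn -eq $ExpectedSigner)
    }

    # Both conditions are needed: a valid signature from a different publisher,
    # or the right name on a broken/untrusted signature, is still rejected.
    if ($result.ChainOk -and $result.SignerOk) {
        $result.Verdict = 'OK: valid signature from the expected publisher'
    }
    [pscustomobject]$result
}

# Placeholder path; point it at the installer you actually downloaded.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\ClassicShellSetup.exe" | Format-List
```

Anything other than Status = Valid together with SignerOk = True means the file should not be run; Status = NotSigned with a suspiciously small SizeBytes matches what the thread describes for the fake installer.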

Hi guys, quick question.. my boot drive seems to be ok, but I seem to have lost my secondary drive, which was partitioned into E and F. Is this possible? Btw, it shows up as unallocated in Computer Management.

I have a clean Windows 10 installation with UEFI/GPT partitions, and my system was not able to boot. It simply showed no entry in the bios boot menu. I'm sure it's UEFI/GPT. The bios boot menu says it is UEFI what I'm booting, and diskpart list disk says it's GPT.

Windows recovery was not able to fix the boot problem, so I tried the integrated system image restore function of Windows 10 by booting from my Windows 10 install USB stick. The USB stick was created by the Microsoft Media Creation tool. The system image was created by me before the update with the "Backup and Restore (Windows 7)" tool from within Windows.

It worked this way. I don't know what else that malware overwrote to ruin the system, so this was the most safe solution for me. Fortunately, I had that system image - I created it right before Windows 10 started to download the Anniversary update that evening.

For anyone who is not able to boot their PC or has lost secondary drive partitions: if the instructions by Ivo (viewtopic.php?f=12&t=6440), which are pretty simple, to restore your MBR do not work for some reason, then with access to another clean computer you could try creating a bootable USB or CD from any of the Live CD images with TestDisk: http://www.cgsecurity.org/wiki/TestDisk_Livecd . One of our forum members reported that using TestDisk they could fix the partition table on the compromised drive and restore the partition table completely with no issues. Do a quick scan using TestDisk and then add back the partition it finds and write it to disk. You also must rewrite the drive's infected MBR code with the Windows MBR code: https://tweakhound.com/2012/11/13/how-t ... ootloader/

The hack is apparently not fixed or you were hacked again. I downloaded your update on August 3rd, approximately 11:00 AM Mountain time (US). I experienced the problems related below and the recommended repair worked after a couple of additional reboots. No messages on screen--just a blank screen with the cursor showing before repair.

Hi guys, quick question.. my boot drive seems to be ok, but I seem to have lost my secondary drive, which was partitioned into E and F. Is this possible? Btw, it shows up as unallocated in Computer Management.

This is what happened to me. That drive probably had an unused MBR. My system continued to boot but a second drive was "unallocated". It can be repaired but the Windows troubleshooting command-line method (bootrec /fixmbr) will not do it. It only works on your boot disk. I tried it and it wiped out my Linux boot menu, so beware.

I used the open source tool TestDisk to fix my partition but it is not for the faint of heart. I tried other tools but they did not correctly handle my 3TB drive or they cost too much or they did not address the actual problem. I'm sorry I can't recommend an easy fix but there may be some listed in these forums or elsewhere.

Your files should be safe but be careful with the tools you use. I used MiniTool Partition Wizard and it malfunctioned. By all appearances it was going to fix the problem but when the fix was applied, it did not correctly handle my 3TB drive. I was able to recover using TestDisk.

One final note: I ran CHKDSK on the drive after I got it working again. It reported "corrupt basic file structure" for 179 files. The files appeared to be perfectly usable and showed no problems. When CHKDSK "repaired" them, all their data was erased. Be careful. If you see these kinds of errors reported, try to backup the affected files before attempting to repair them. If you can, I advise transferring all of your files to a new drive and then reformatting your damaged disk to clear out any remaining weirdness.

If Windows boots then nothing happened to you... you don't need to be afraid of restarting; fixing it is pretty easy. (And I wouldn't wonder if there would be an instant BSOD after the MBR is overwritten, but I'm not sure of that.)

And if you want no risk of getting modified software: check if the app is signed; if available on the official website, calculate and compare the MD5 or SHA hashes (this won't help e.g. on FossHub if the hackers also changed those values on FossHub); and check e.g. the size of the program: if it is ridiculously small (< 1 MB) then it could be a virus instead of a program like Classic Shell with lots of features.

If Windows boots then nothing happened to you... you don't need to be afraid of restarting; fixing it is pretty easy. (And I wouldn't wonder if there would be an instant BSOD after the MBR is overwritten, but I'm not sure of that.)

And if you want no risk of getting modified software: check if the app is signed; if available on the official website, calculate and compare the MD5 or SHA hashes (this won't help e.g. on FossHub if the hackers also changed those values on FossHub); and check e.g. the size of the program: if it is ridiculously small (< 1 MB) then it could be a virus instead of a program like Classic Shell with lots of features.

What I mean is I have no idea if I ran the installer I had, I don't have the installer, and I'm not too keen on restarting to find out. Can I somehow examine the intactness of the MBR itself?

No, it doesn't instantly BSOD when you delete/change the MBR; it waits till you restart your PC...

As far as knowing if you were hit before restarting, you might be able to find out by running msconfig (just type msconfig into the Start menu) and checking the Boot tab. I would imagine that your OS wouldn't be listed there with a broken MBR, though I haven't confirmed.

No, it doesn't instantly BSOD when you delete/change the MBR; it waits till you restart your PC...

I gathered that much.

Jcee wrote:

As far as knowing if you were hit before restarting, you might be able to find out by running msconfig (just type msconfig into the Start menu) and checking the Boot tab. I would imagine that your OS wouldn't be listed there with a broken MBR, though I haven't confirmed.

@Splitwirez, while there is no quick way to see if the MBR is infected, you can open boot.wim from the \sources folder of your Windows Setup disk and extract bootrec.exe from C:\Windows\system32 inside boot.wim to your current Windows installation. Then run bootrec.exe /fixmbr from within Windows.

The way to avoid getting infected from such a hack is to pay attention to the UAC prompt shown by the installer and make sure it's signed by Ivo.
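For the "can I examine the MBR itself?" question above, here is a read-only way to look at sector 0 of a disk from a running Windows. This is an added example, not from the original thread or the Classic Shell project; it assumes an elevated PowerShell session and that the disk of interest is \\.\PhysicalDrive0. It cannot prove the boot code is benign, but it shows whether the things a wiped MBR loses (the 0x55AA boot signature, a usable partition table, non-zero boot code) are still present, and hashes the boot code so it can be compared with a known-good disk.

```powershell
# Added example (not from the original thread). Opens the disk read-only and never writes.
function Read-BootSector {
    param([string]$DevicePath = '\\.\PhysicalDrive0')   # first physical disk; needs admin
    $fs = [System.IO.File]::OpenRead($DevicePath)
    try {
        $sector = New-Object byte[] 512
        $total = 0
        while ($total -lt 512) {                         # loop until the full sector is in
            $n = $fs.Read($sector, $total, 512 - $total)
            if ($n -le 0) { throw "Short read from $DevicePath" }
            $total += $n
        }
        return $sector
    } finally { $fs.Dispose() }
}

function Get-MbrReport {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'Need at least 512 bytes' }

    # Classic MBR layout: boot code 0..439, disk signature 440..443,
    # four 16-byte partition entries from 446, boot signature 55 AA at 510..511.
    $entries = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])           # 0xEE = GPT protective entry
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)  # little-endian on x86
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    $used = @($entries | Where-Object { $_.Type -ne '0x00' -and $_.Sectors -gt 0 })

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()
    $nonZero = @($Sector[0..439] | Where-Object { $_ -ne 0 }).Count

    [pscustomobject]@{
        BootSignatureOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440))
        GptProtective   = [bool]($used | Where-Object { $_.Type -eq '0xEE' })
        UsedEntries     = $used.Count
        BootCodeAllZero = ($nonZero -eq 0)
        BootCodeSha256  = $codeHash      # compare with the same value from a known-good disk
        Partitions      = $entries
    }
}

$report = Get-MbrReport -Sector (Read-BootSector)
$report | Select-Object BootSignatureOk, DiskSignature, GptProtective, UsedEntries,
                        BootCodeAllZero, BootCodeSha256 | Format-List
$report.Partitions | Format-Table -AutoSize
```

A healthy BIOS disk shows BootSignatureOk = True and at least one used entry; a healthy UEFI/GPT disk shows a single 0xEE protective entry. A missing boot signature, zero used entries or all-zero boot code is consistent with the wiped MBR described in this thread, and the secondary-drive case earlier (partitions showing as "unallocated") can be checked the same way by passing \\.\PhysicalDrive1 and so on.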

I know is already fixed but I wonder why antivirus/antimalware programs didn't detect it at first.

For any malware to be detected, its signature has to be present in the AV vendor's app. This malware was new. AVG, Kaspersky and some other AV vendor detected it as a generic threat. And Windows UAC prompt showed it with a yellow band and as coming from an unknown publisher.

@Splitwirez, while there is no quick way to see if the MBR is infected, you can open boot.wim from the \sources folder of your Windows Setup disk and extract bootrec.exe from C:\Windows\system32 inside boot.wim to your current Windows installation. Then run bootrec.exe /fixmbr from within Windows.

...k...I didn't quite follow that...

Gaurav wrote:

The way to avoid getting infected from such a hack is to pay attention to the UAC prompt shown by the installer and make sure it's signed by Ivo.

Problem is, I don't even remember if I ran the installer, never mind what the UAC prompt showed. I checked the signature after reading the OP and it showed that it was legit...but I'm still feeling really uneasy about this...I think I'll just skip this update and wait for 4.3.1 or whatever ;~;

Well, no, you can't skip the update if you already ran the installer...If you are infected, the next reboot will fail. If you are not that confident everything is OK, I would back up the important files to an external drive, cloud, or whatever, and then do a test restart.

I have not done anything to prevent further attacks. The compromised FossHub site is down, and as far as I can tell Mediafire hasn't been hacked. Since I don't host the files on my home machine (it would require terabytes of bandwidth each month), there is very little I can do to control the security of the download service.

Just an idea, while it is good to have the warning on the main website I feel like it would make a crap ton more sense for it to be moved from the "What is Classic Shell?" section to the "News" section to the right. Where it is currently is very crowded with other information and it just doesn't seem that important.

Well, no, you can't skip the update if you already ran the installer...If you are infected, the next reboot will fail. If you are not that confident everything is OK, I would back up the important files to an external drive, cloud, or whatever, and then do a test restart.

I'm pretty sure I didn't run the installer, and I was implying that if I did, I don't plan to run any installer for this update again ._.

Also I fished the installer out of my recycle bin to check the signature. This is what it said:

Is that okay? And should I restart just to be sure?

Ivo wrote:

I have not done anything to prevent further attacks. The compromised FossHub site is down, and as far as I can tell Mediafire hasn't been hacked. Since I don't host the files on my home machine (it would require terabytes of bandwidth each month), there is very little I can do to control the security of the download service.

Yes, your file is fine, and I recommend you install it. There are some fixes and new skin features.

As for service providers, there aren't that many that offer multi-terabyte bandwidth at a price I can afford. Mediafire is still pricey, but not unreasonably so. FossHub is free but shows one ad per download. Everything else is either prohibitively expensive or has tons of ads where you can easily click on the wrong thing and get an extra browser toolbar or two.

Yes, your file is fine, and I recommend you install it. There are some fixes and new skin features.

...err...yeah, if I can get myself to do so without worrying like crazy afterwards. Honestly I trust everything you say, but that doesn't make a darned bit of difference to how scared I was and still am.

Ivo wrote:

As for service providers, there aren't that many that offer multi-terabyte bandwidth at a price I can afford. Mediafire is still pricey, but not unreasonably so. FossHub is free but shows one ad per download. Everything else is either prohibitively expensive or has tons of ads where you can easily click on the wrong thing and get an extra browser toolbar or two.

...what about Mega? AFAIK they don't show any ads and are pretty much all about security or encryption or whatever...then again I've yet to see anything about pricing, so idk .-.

Okay so, for anyone who needs some extra confidence, I got hit by it. I was stupid and didn't stop when the digital signature wasn't there. Though I did acknowledge it by thinking "wasn't this signed last time I updated? Oh well."

Unfortunately for me, something else happened when I got infected. Avast, my antivirus, caused me to bluescreen due to an incompatibility with the Anniversary update on newer Intel CPUs. So even when I fixed my master boot record, I was stuck in a boot loop and had no idea what to do.

But the only reason I discovered the boot loop is because I fixed my master boot record, and it's really easy. I simply borrowed a family member's laptop to make myself a boot disk (just download the Windows ISO of your system and slap it on a disk or USB drive), used it to get into the recovery environment for Windows, opened the command prompt, and used the command "bootrec /fixmbr". That got me to the Windows loading screen, which gave me a BSOD every time because of Avast.

All in all, don't panic. The boot record is really easy to fix with little technical knowledge, and none of your personal files will be tampered with.

I installed CS about 2-3 days ago, but I downloaded it from here, the main page, and I didn't get this malware thing.

By the way, you should edit the main message. Hackers are the GOOD guys, Cyber Criminals are the BAD guys.

Hackers = Police
Cyber Criminals = Robbers

So saying "a hacker did this bad thing" is a contradiction. A cyber criminal did.

Get your terminology right. "Hacker" is a generic term for people that modify software, typically without access to the source code.

Black Hat Hackers = Bad Guys
White Hat Hackers = Good Guys

Was just about to comment on this

Though 'white hat' hackers are 'good', most of what they do is still illegal.. and obviously subjectively good.... It's even possible that the recent hackers that hacked Classic Shell see themselves as white-hats because they supposedly did it to draw attention to a major hole in FossHub's security. Yes, rendering thousands of computers inoperable is bad, but the fix is fairly simple; and causing a splash is sometimes the only way to get noticed. Also it could have been way worse.. (like wiping the whole hard drive, or stealthily stealing credit-card info)

Get your terminology right. "Hacker" is a generic term for people that modify software, typically without access to the source code.

Black Hat Hackers = Bad Guys
White Hat Hackers = Good Guys

Yeah, I know exactly what a hacker is. And a hacker is "good" because he modifies things in order to learn or just for fun, legal or illegal. A hacker never tries to mess with other people's computers, a hacker never tries to do evil things.

So, hacker = police, and cyber criminal = robber.

You could say "but a policeman can be corrupt and be a bad guy". Yeah, you're right, that's your "black hat hacker", but you know, that's atypical, and normally police do good things.

This attack was intended to damage computers all over the world, so a hacker does not fit in that category.

Personally I would define a hacker as: anyone who changes or modifies anything through unconventional means, often to gain an unanticipated result.

Webster however defines a hacker as: a person who secretly gets access to a computer system in order to get information, cause damage, etc.: a person who hacks into a computer system. (Really a stupid and simplified answer, but it definitely has a negative connotation.)

Because the definition of hacker is so hard to pin down.. let's just agree to disagree.

Personally I would define a hacker as: anyone who changes or modifies anything through unconventional means, often to gain an unanticipated result.

Webster however defines a hacker as: a person who secretly gets access to a computer system in order to get information, cause damage, etc.: a person who hacks into a computer system. (Really a stupid and simplified answer, but it definitely has a negative connotation.)

Because the definition of hacker is so hard to pin down.. let's just agree to disagree.

Well, that's one horrible definition, which is totally wrong.

If you ask any hacker out there, they will always say "we're sick of explaining that hackers are just normal people who just mess around with devices to create or invent something new, add features it didn't have, do things the manufacturer didn't want us to do, many times kind of "illegal" because they break some terms or whatever." But the ultimate goal is just adding things for fun and using devices in a way they weren't intended to be used. For example, a hacker would modify the Wii so it can read PS3 games, or modify a PS4 so it can be used as a toaster, or add a WiFi card to a PS1 so you can watch YouTube through it. A hacker would never try to hurt anyone's devices or steal your information, just like a policeman would never rob a bank.

To sum up, hacker can't have any negative connotation, just as police can't have any negative connotation by definition. Sure, a policeman can commit a crime or a hacker can commit a cyber attack like this one, but then automatically the hacker wouldn't be considered a hacker anymore, but a cyber criminal.

It's like saying an innocent man killed a kid last night. That's exactly what we are saying. The time you kill someone, you automatically stop being innocent and you become a criminal.

You should run all unknown and known software under Sandboxie control to see if it is nasty in nature; at least if it is bad you can easily remove it without any system changes made. Also you should run your browser under Sandboxie control at all times. http://www.sandboxie.com/

I had problems yesterday (August 22, 2016). I kept getting a pop-up saying I needed to update Classic Shell, and I will admit we were driving and I wasn't paying a lot of attention, was just trying to get some work done (I was a passenger), so clicked yes, then got stopped because an admin had to approve the upgrade. It didn't look like either of the examples shown from the original problem, but after 3 reboots yesterday I suddenly had no internet, airplane mode was stuck on. I THINK this had something to do with the stupid Windows 10 Anniversary update and possibly Classic Shell being hacked as well, but in the end I had to restore my software to its original factory standards and am now downloading all my software again. Just wanted to mention this in case anyone else had something similar going on now.

I just had an issue of a similar nature (8-24-16) where the recent windows 10 update removed the software without any warning due to some 'incompatibility'. I double-checked the file signature from the download as recommended above and forced the install (windows 10 start menu destroys my workflow, it's just so distracting and obnoxious to use) and it's working just fine on a Dell XPS 13. No issues so far.
